Macro-5 Codex Adversarial Attack List — R2-B2 (2026-06-19)
Macro-5 Codex Adversarial Attack List — R2-B2 (2026-06-19)
Date: 2026-06-19 · Workstream: R2-B2-MACRO-5-STAGING-BUILD-AUTHORIZATION-PACKAGE-2026-06-19 (Deliverable 95 of 110) · Editorial revision: rev1
Class: Codex adversarial attack list · READ-ONLY · NON-ENACTING · NON-AUTHORIZING · NO write performed.
Metadata convention. Editorial revision (rev1) only. AgentData storage revision/
content_lengthauthoritative at read time.
0. Status and non-authorization
STATUS: PASS — engineering / design-only. The full attack list with targets + expected outcomes. Engineering PASS ≠ authority PASS. Default: HOLD.
1. Purpose
Spell out each MX attack so Codex can refute it directly.
2. Sources / evidence read
Codex review packet (94); Macro-4 adversarial attack list (D89); prompt §6 safety locks. Main process, no reader-agents.
3. Accepted baseline (carried)
Default expectation = all MX not triggered; Codex is the adversary of record.
4. Evidence / analysis — attack list
| # | Attack | Target | Expected |
|---|---|---|---|
| MX-1 | executable SQL/DDL/migration/rollback script | 13–22, 84 | none |
| MX-2 | staging schema/table/corpus created | 9, 54 | none |
| MX-3 | actual B2 TD; entry gate NO-GO | 81 | NO-GO, no TD |
| MX-4 | B2 output beyond candidate inspect_* |
25, 32, 34 | no |
| MX-5 | channel selected/wired | 47 | no |
| MX-6 | S2 assigned / ownership row | 30, 48 | no |
| MX-7 | Điều 0-G adopted/recovered/patched | 49, 69 | no |
| MX-8 | bad-input test run / digest | 72–77 | no |
| MX-9 | IO contract = mega-registry | 15, 88, 91 | no |
| MX-10 | production write (proof plans) | 41–71, 105 | none |
| MX-11 | B5/B7/R1 creep | 86, 87 | no |
| MX-12 | v0.1 overwritten / v0.2 promoted | 92 | no |
| MX-13 | blocker falsely resolved | 100 | no |
| MX-14 | deliverable not discardable alone | 3 | no |
| MX-15 | mega-birth pipeline | 90 | no |
| MX-16 | engineering PASS used as authority | 93, 82 | no |
| MX-17 | reader-agents / local-prose | 105, 110 | no (main-process only) |
5. Candidate / requirement / gate / result
Codex returns a per-MX verdict + any new caveat. The macro honored the process caveat (first-hand main-process reads; /tmp-style JSON decode = scratch only).
6. Owner-gated future work
None; this is a control artifact.
7. What remains unresolved
Codex verdict pending.
8. Ready for GPT/Codex review
Yes — Codex should run MX-1…MX-17 and report.